Ensuring Penetration Testing Keeps Pace with Business Innovation
Written by

Luke Potter

Published on

20 May 2018
SureCloud’s Cybersecurity Practice Director, Luke Potter, explains how standard penetration testing models leave customers in the dark, and what can be done to improve support after exposing an organisation’s vulnerabilities.

Penetration testing (Pen Testing) is a valuable service that informs companies about vulnerabilities in their systems, applications, and processes. As organisations adopt an increasing number of cloud solutions and services, and as cyber-attacks rise, the demand for pen testing is set to rise at a compound annual growth rate (CAGR) of 13.9% over the next ten years.

This is partly driven by the continued threat of data breaches, which are becoming more numerous and severe and are attracting public outrage at companies that aren’t careful with data. Pentesting is, therefore, becoming ever more critical to businesses. With GDPR officially in force since May 2018, introducing potential fines of up to €20m* for those that fail to protect their customers’ data, it’s likely that more organisations will be turning to pen testing to help them achieve maximum security for their data.

However, while demand for pen testing is growing, it is critical that organisations work with providers that use the latest methods, so that the testing is as effective as possible.

Today’s way – Pentesting results delivered in a PDF report

Currently, most organisations tend to procure penetration testing on a one-off or annual basis. It’s then performed by a vendor and results are delivered in a static report on the organisation’s vulnerabilities. The organisation is then responsible for interpreting the results and enacting changes based on the recommendations provided. Managing the remediation process this way is not only inefficient, but it’s ineffective and can lead to errors, wasted time, and unresolved issues.

After a pen test is complete, most testing providers leave their customers with a PDF that is potentially hundreds of pages long. Customers are given a list of things to resolve, but extracting a to-do list from the report means cutting and pasting information, putting it into emails, annotating it, and trying to build spreadsheets out of the information the report provides. As such, tracking what you’ve fixed and what you haven’t is particularly difficult.

Revolutionising Pentesting – Pentest-as-a-Service

A better model, on the other hand, can be achieved when providers offer pentest-as-a-service (PTaaS). This could operate as a 12-month engagement in which the vendor performs penetration tests as required and delivers the results in an interactive cloud-based platform, providing ongoing support throughout the remediation cycle. This allows the customer to focus on where their work starts rather than where the pentesters’ work finishes.

The ideal platform will enable customers to manage their entire remediation process, extract customised reports of the vulnerability data, assign vulnerabilities to individuals or teams for resolution, and collaborate with other teams or individuals within the system. It would be provided in an accessible format, with continued support from your pen testing team to help interpret any nuance of the report or give general guidance on cybersecurity best practice.

Why should organisations adopt the Pentest-as-a-Service model?

This subscription-based model is much more cost-effective than the traditional one. Instead of conducting the remediation process on your own, the pentest-as-a-service model offers direct access to the cybersecurity experts who identified your vulnerabilities. This helps your organisation’s IT team manage remediation efficiently and effectively, leaving you more secure.

Also, PTaaS provides the flexibility and scalability demanded by businesses that may also require more Pen Testing than they once did. Previously, when organisations’ IT was more static, and applications and hardware were deployed less frequently, a single annual test on a business’ networks or applications was adequate.

However, with IT now more dynamic and constantly changing, the typical organisation deploys more new applications than it used to, each of which carries the risk of inadvertently introducing a new vulnerability. The ‘annual’ penetration test cannot keep up with the pace of business change, whereas PTaaS provides the scope for conducting multiple tests throughout the year.

Furthermore, the PTaaS model provides these results in an interactive platform rather than a static report, enabling each vulnerability to be addressed much more effectively. This removes the need to extract data in order to track and manage remediation, ensuring that issues are not missed or overlooked as businesses handle multiple reports.
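The bookkeeping that a platform does for you, and that a PDF-plus-spreadsheet workflow forces onto the customer, is reconciling each new test run against the findings already being tracked. The following is an added illustration, not SureCloud’s platform code; it assumes a findings export with `id`, `title` and `severity` fields (the sample runs are constructed) and shows how repeated tests verify fixes and catch regressions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    ident: str
    title: str
    severity: str
    first_seen: date
    owner: Optional[str] = None
    status: str = "open"  # open -> fixed (claimed by owner) -> verified (retest no longer finds it)


class RemediationTracker:
    """One live record per finding, carried across repeated test runs."""

    def __init__(self) -> None:
        self.findings: Dict[str, Finding] = {}

    def ingest(self, test_date: date, results: List[dict]) -> None:
        """Reconcile one run: add new findings, reopen regressions, verify absent fixes."""
        seen = {r["id"] for r in results}
        for r in results:
            f = self.findings.get(r["id"])
            if f is None:
                self.findings[r["id"]] = Finding(r["id"], r["title"], r["severity"], test_date)
            elif f.status == "fixed":
                f.status = "open"  # claimed fixed but still reproducible: back to the owner
        for f in self.findings.values():
            if f.ident not in seen and f.status == "fixed":
                f.status = "verified"  # the retest could not reproduce it

    def assign(self, ident: str, owner: str) -> None:
        self.findings[ident].owner = owner

    def mark_fixed(self, ident: str) -> None:
        self.findings[ident].status = "fixed"

    def outstanding(self) -> List[Finding]:
        """Everything not yet verified, most severe first, oldest first within a severity."""
        live = [f for f in self.findings.values() if f.status != "verified"]
        return sorted(live, key=lambda f: (SEVERITY_RANK[f.severity], f.first_seen))


# Constructed sample: two runs in one engagement year (hypothetical finding ids).
RUN_1 = [{"id": "F1", "title": "SQL injection in search", "severity": "critical"},
         {"id": "F2", "title": "Missing HSTS header", "severity": "medium"}]
RUN_2 = [{"id": "F2", "title": "Missing HSTS header", "severity": "medium"},
         {"id": "F3", "title": "Reflected XSS in login", "severity": "high"}]
```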

With the increasing reliance on pen testing, it’s clear that current models can no longer deliver the level of security assurance they once did. What’s needed is a service that not only exposes organisations’ vulnerabilities but helps them patch them up effectively and efficiently.

*or up to 4% of annual turnover, whichever is greater.

About Luke Potter

Luke oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognised cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.

About SureCloud

SureCloud provides cybersecurity services and cloud-based Governance, Risk and Compliance products, which reinvent the way you manage risk. SureCloud also offers a wide range of cybersecurity testing and assurance services, where we stay with you throughout the entire test lifecycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) and CREST, and delivered using the innovative Pentest-as-a-Service model (utilising a highly configurable technology platform), SureCloud acts as an extension of your in-house security team, ensuring you have everything you need to improve your risk posture.